[7.11][Telemetry] Diagnostic Alert Telemetry

x-pack/plugins/security_solution/server/lib/telemetry/mocks.ts

@@ -0,0 +1,38 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the Elastic License;
+ * you may not use this file except in compliance with the Elastic License.
+ */
+
+import { TelemetryEventsSender } from './sender';
+import { TelemetryDiagTask } from './task';
+
+/**
+ * Creates a mocked Telemetry Events Sender
+ */
+export const createMockTelemetryEventsSender = (
+  enableTelemtry: boolean
+): jest.Mocked<TelemetryEventsSender> => {
+  return ({
+    setup: jest.fn(),
+    start: jest.fn(),
+    stop: jest.fn(),
+    fetchDiagnosticAlerts: jest.fn(),
+    queueTelemetryEvents: jest.fn(),
+    processEvents: jest.fn(),
+    isTelemetryOptedIn: jest.fn().mockReturnValue(enableTelemtry ?? jest.fn()),
+    sendIfDue: jest.fn(),
+    fetchClusterInfo: jest.fn(),
+    fetchTelemetryUrl: jest.fn(),
+    fetchLicenseInfo: jest.fn(),
+    copyLicenseFields: jest.fn(),
+    sendEvents: jest.fn(),
+  } as unknown) as jest.Mocked<TelemetryEventsSender>;
+};
+
+/**
+ * Creates a mocked Telemetry Diagnostic Task
+ */
+export class MockTelemetryDiagnosticTask extends TelemetryDiagTask {
+  public runTask = jest.fn();
+}

x-pack/plugins/security_solution/server/lib/telemetry/sender.ts

@@ -14,6 +14,11 @@ import {
   TelemetryPluginStart,
   TelemetryPluginSetup,
 } from '../../../../../../src/plugins/telemetry/server';
+import {
+  TaskManagerSetupContract,
+  TaskManagerStartContract,
+} from '../../../../task_manager/server';
+import { TelemetryDiagTask } from './task';
 
 export type SearchTypes =
   | string
@@ -56,20 +61,34 @@ export class TelemetryEventsSender {
   private isSending = false;
   private queue: TelemetryEvent[] = [];
   private isOptedIn?: boolean = true; // Assume true until the first check
+  private diagTask?: TelemetryDiagTask;
 
   constructor(logger: Logger) {
     this.logger = logger.get('telemetry_events');
   }
 
-  public setup(telemetrySetup?: TelemetryPluginSetup) {
+  public setup(telemetrySetup?: TelemetryPluginSetup, taskManager?: TaskManagerSetupContract) {
     this.telemetrySetup = telemetrySetup;
+
+    if (taskManager) {
+      this.diagTask = new TelemetryDiagTask(this.logger, taskManager, this);
+    }
   }
 
-  public start(core?: CoreStart, telemetryStart?: TelemetryPluginStart) {
+  public start(
+    core?: CoreStart,
+    telemetryStart?: TelemetryPluginStart,
+    taskManager?: TaskManagerStartContract
+  ) {
     this.telemetryStart = telemetryStart;
     this.core = core;
 
-    this.logger.debug(`Starting task`);
+    if (taskManager && this.diagTask) {
+      this.logger.debug(`Starting diag task`);
+      this.diagTask.start(taskManager);
+    }
+
+    this.logger.debug(`Starting local task`);
     setTimeout(() => {
       this.sendIfDue();
       this.intervalId = setInterval(() => this.sendIfDue(), this.checkIntervalMs);
@@ -82,6 +101,38 @@ export class TelemetryEventsSender {
     }
   }
 
+  public async fetchDiagnosticAlerts() {
+    const query = {
+      expand_wildcards: 'open,hidden',
+      index: 'logs-endpoint.diagnostic.collection-default*',
+      ignore_unavailable: true,
+      size: this.maxQueueSize,
+      body: {
+        query: {
+          range: {
+            'event.ingested': {
+              gte: 'now-5m',
+              lt: 'now',
+            },
+          },
+        },
+        sort: [
+          {
+            'event.ingested': {
+              order: 'asc',
+            },
+          },
+        ],
+      },
+    };
+
+    if (!this.core) {
+      throw Error('could not fetch diagnostic alerts. core is not available');
+    }
+    const callCluster = this.core.elasticsearch.legacy.client.callAsInternalUser;
+    return callCluster('search', query);
+  }
+
   public queueTelemetryEvents(events: TelemetryEvent[]) {
     const qlength = this.queue.length;
 
@@ -109,6 +160,11 @@ export class TelemetryEventsSender {
     });
   }
 
+  public async isTelemetryOptedIn() {
+    this.isOptedIn = await this.telemetryStart?.getIsOptedIn();
+    return this.isOptedIn === true;
+  }
+
   private async sendIfDue() {
     if (this.isSending) {
       return;
@@ -121,9 +177,7 @@ export class TelemetryEventsSender {
     try {
       this.isSending = true;
 
-      // Checking opt-in status is relatively expensive (calls a saved-object), so
-      // we only check it when we have things to send.
-      this.isOptedIn = await this.telemetryStart?.getIsOptedIn();
+      this.isOptedIn = await this.isTelemetryOptedIn();
       if (!this.isOptedIn) {
         this.logger.debug(`Telemetry is not opted-in.`);
         this.queue = [];
@@ -245,9 +299,14 @@ const allowlistEventFields: AllowlistFields = {
   '@timestamp': true,
   agent: true,
   Endpoint: true,
+  Ransomware: true,
+  data_stream: true,
   ecs: true,
   elastic: true,
   event: true,
+  rule: {
+    ruleset: true,
+  },
   file: {
     name: true,
     path: true,

x-pack/plugins/security_solution/server/lib/telemetry/task.test.ts

@@ -0,0 +1,104 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the Elastic License;
+ * you may not use this file except in compliance with the Elastic License.
+ */
+import { loggingSystemMock } from 'src/core/server/mocks';
+
+import { taskManagerMock } from '../../../../task_manager/server/mocks';
+import { TaskStatus } from '../../../../task_manager/server';
+
+import { TelemetryDiagTask, TelemetryDiagTaskConstants } from './task';
+import { createMockTelemetryEventsSender, MockTelemetryDiagnosticTask } from './mocks';
+
+describe('test', () => {
+  let logger: ReturnType<typeof loggingSystemMock.createLogger>;
+
+  beforeEach(() => {
+    logger = loggingSystemMock.createLogger();
+  });
+
+  describe('basic diagnostic alert telemetry sanity checks', () => {
+    test('task can register', () => {
+      const telemetryDiagTask = new TelemetryDiagTask(
+        logger,
+        taskManagerMock.createSetup(),
+        createMockTelemetryEventsSender(true)
+      );
+
+      expect(telemetryDiagTask).toBeInstanceOf(TelemetryDiagTask);
+    });
+  });
+
+  test('diagnostic task should be registered', () => {
+    const mockTaskManager = taskManagerMock.createSetup();
+    new TelemetryDiagTask(logger, mockTaskManager, createMockTelemetryEventsSender(true));
+
+    expect(mockTaskManager.registerTaskDefinitions).toHaveBeenCalled();
+  });
+
+  test('task should be scheduled', async () => {
+    const mockTaskManagerSetup = taskManagerMock.createSetup();
+    const telemetryDiagTask = new TelemetryDiagTask(
+      logger,
+      mockTaskManagerSetup,
+      createMockTelemetryEventsSender(true)
+    );
+
+    const mockTaskManagerStart = taskManagerMock.createStart();
+    await telemetryDiagTask.start(mockTaskManagerStart);
+    expect(mockTaskManagerStart.ensureScheduled).toHaveBeenCalled();
+  });
+
+  test('task should run', async () => {
+    const mockContext = createMockTelemetryEventsSender(true);
+    const mockTaskManager = taskManagerMock.createSetup();
+    const telemetryDiagTask = new MockTelemetryDiagnosticTask(logger, mockTaskManager, mockContext);
+
+    const mockTaskInstance = {
+      id: TelemetryDiagTaskConstants.TYPE,
+      runAt: new Date(),
+      attempts: 0,
+      ownerId: '',
+      status: TaskStatus.Running,
+      startedAt: new Date(),
+      scheduledAt: new Date(),
+      retryAt: new Date(),
+      params: {},
+      state: {},
+      taskType: TelemetryDiagTaskConstants.TYPE,
+    };
+    const createTaskRunner =
+      mockTaskManager.registerTaskDefinitions.mock.calls[0][0][TelemetryDiagTaskConstants.TYPE]
+        .createTaskRunner;
+    const taskRunner = createTaskRunner({ taskInstance: mockTaskInstance });
+    await taskRunner.run();
+    expect(telemetryDiagTask.runTask).toHaveBeenCalled();
+  });
+
+  test('task should not query elastic if telemetry is not opted in', async () => {
+    const mockSender = createMockTelemetryEventsSender(false);
+    const mockTaskManager = taskManagerMock.createSetup();
+    const telemetryDiagTask = new MockTelemetryDiagnosticTask(logger, mockTaskManager, mockSender);
+
+    const mockTaskInstance = {
+      id: TelemetryDiagTaskConstants.TYPE,
+      runAt: new Date(),
+      attempts: 0,
+      ownerId: '',
+      status: TaskStatus.Running,
+      startedAt: new Date(),
+      scheduledAt: new Date(),
+      retryAt: new Date(),
+      params: {},
+      state: {},
+      taskType: TelemetryDiagTaskConstants.TYPE,
+    };
+    const createTaskRunner =
+      mockTaskManager.registerTaskDefinitions.mock.calls[0][0][TelemetryDiagTaskConstants.TYPE]
+        .createTaskRunner;
+    const taskRunner = createTaskRunner({ taskInstance: mockTaskInstance });
+    await taskRunner.run();
+    expect(mockSender.fetchDiagnosticAlerts).not.toHaveBeenCalled();
+  });
+});

x-pack/plugins/security_solution/server/lib/telemetry/task.ts

@@ -0,0 +1,95 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the Elastic License;
+ * you may not use this file except in compliance with the Elastic License.
+ */
+import { Logger } from 'src/core/server';
+import {
+  ConcreteTaskInstance,
+  TaskManagerSetupContract,
+  TaskManagerStartContract,
+} from '../../../../task_manager/server';
+import { TelemetryEventsSender, TelemetryEvent } from './sender';
+
+export const TelemetryDiagTaskConstants = {
+  TIMEOUT: '1m',
+  TYPE: 'security:endpoint-diagnostics',
+  INTERVAL: '5m',
+  VERSION: '1.0.0',
+};
+
+export class TelemetryDiagTask {
+  private readonly logger: Logger;
+  private readonly sender: TelemetryEventsSender;
+
+  constructor(
+    logger: Logger,
+    taskManager: TaskManagerSetupContract,
+    sender: TelemetryEventsSender
+  ) {
+    this.logger = logger;
+    this.sender = sender;
+
+    taskManager.registerTaskDefinitions({
+      [TelemetryDiagTaskConstants.TYPE]: {
+        title: 'Security Solution Telemetry Diagnostics task',
+        timeout: TelemetryDiagTaskConstants.TIMEOUT,
+        createTaskRunner: ({ taskInstance }: { taskInstance: ConcreteTaskInstance }) => {
+          return {
+            run: async () => {
+              await this.runTask(taskInstance.id);
+            },
+            cancel: async () => {},
+          };
+        },
+      },
+    });
+  }
+
+  public start = async (taskManager: TaskManagerStartContract) => {
+    try {
+      await taskManager.ensureScheduled({
+        id: this.getTaskId(),
+        taskType: TelemetryDiagTaskConstants.TYPE,
+        scope: ['securitySolution'],
+        schedule: {
+          interval: TelemetryDiagTaskConstants.INTERVAL,
+        },
+        state: {},
+        params: { version: TelemetryDiagTaskConstants.VERSION },
+      });
+    } catch (e) {
+      this.logger.error(`Error scheduling task, received ${e.message}`);
+    }
+  };
+
+  private getTaskId = (): string => {
+    return `${TelemetryDiagTaskConstants.TYPE}:${TelemetryDiagTaskConstants.VERSION}`;
+  };
+
+  public runTask = async (taskId: string) => {
+    this.logger.debug(`Running task ${taskId}`);
+    if (taskId !== this.getTaskId()) {
+      this.logger.debug(`Outdated task running: ${taskId}`);
+      return;
+    }
+
+    const isOptedIn = await this.sender.isTelemetryOptedIn();
+    if (!isOptedIn) {
+      this.logger.debug(`Telemetry is not opted-in.`);
+      return;
+    }
+
+    const response = await this.sender.fetchDiagnosticAlerts();
+
+    const hits = response.hits?.hits || [];
+    if (!Array.isArray(hits) || !hits.length) {
+      this.logger.debug('no diagnostic alerts retrieved');
+      return;
+    }
+
+    const diagAlerts: TelemetryEvent[] = hits.map((h) => h._source);
+    this.logger.debug(`Received ${diagAlerts.length} diagnostic alerts`);
+    this.sender.queueTelemetryEvents(diagAlerts);
+  };
+}

x-pack/plugins/security_solution/server/plugin.ts

@@ -316,7 +316,7 @@ export class Plugin implements IPlugin<PluginSetup, PluginStart, SetupPlugins, S
       );
     });
 
-    this.telemetryEventsSender.setup(plugins.telemetry);
+    this.telemetryEventsSender.setup(plugins.telemetry, plugins.taskManager);
 
     return {};
   }
@@ -369,7 +369,7 @@ export class Plugin implements IPlugin<PluginSetup, PluginStart, SetupPlugins, S
       this.logger.debug('User artifacts task not available.');
     }
 
-    this.telemetryEventsSender.start(core, plugins.telemetry);
+    this.telemetryEventsSender.start(core, plugins.telemetry, plugins.taskManager);
     this.licensing$ = plugins.licensing.license$;
     licenseService.start(this.licensing$);
     this.policyWatcher = new PolicyWatcher(